
I'm learning Android application pen testing and I'm kinda lost about what an attacker who controls the content of a WebView can do.

I guess if there is no JavaScript enabled there is no impact, right? But if there is JavaScript enabled but no JavaScript interface or other dangerous setup, what can an attacker do?

I know he/she can make an alert box or write anything on the page but it doesn't provide impact.

Are there other things an attacker can do with JavaScript enabled and nothing else?

Thanks

Neolex

1 Answer


It depends on who the attacker and who the victim is in the whole equation. If we're talking about the attacker being an external party, who can potentially get some JavaScript executed in a vulnerable page inside the WebView, then yes, to some extent your assumption is right. Without a JavaScript interface enabled, there is not much that the attacker would be able to do to abuse the underlying app (the victim in this case).

However, if it's the other way round, where the victim is the page getting loaded inside the WebView of the app (attacker-controlled / malicious), then there's a lot that can be done to harm the victim, of course depending on how sensitive the victim page is.

I recently wrote a blog post explaining this exact exploit scenario in (too much) detail. You may want to check it out.

qre0ct
  • Thank you for the answer, it's perfect, I learned a lot! – Neolex Apr 03 '20 at 06:13
  • So the only impact would be if the app used is malicious and would be a malicious browser? No impact in controlling the content of a WebView of a different app from your app with only JavaScript enabled, right? – Neolex Apr 03 '20 at 06:36
  • I don't think so, unless the two apps can talk to each other somehow. – qre0ct Apr 04 '20 at 12:40
  • Ok thank you for your help ! – Neolex Apr 05 '20 at 12:17
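
The cases separated in this thread (JavaScript off, JavaScript on by itself, JavaScript on together with a JavaScript interface or other risky settings) can be triaged during an app review. The script below is an added example, not code from the posts above: it sorts constructed Java snippets into those cases, and the file names, tier labels and sample sources are assumptions made for illustration.

```python
import re

# Constructed sample: decompiled-style Java for three hypothetical activities.
SAMPLE_SOURCES = {
    "HelpActivity.java": """
        WebView wv = findViewById(R.id.help);
        wv.getSettings().setJavaScriptEnabled(true);
        wv.loadUrl(HELP_URL);
    """,
    "PayActivity.java": """
        WebView wv = findViewById(R.id.pay);
        wv.getSettings().setJavaScriptEnabled(true);
        wv.addJavascriptInterface(new PayBridge(this), "bridge");
    """,
    "AboutActivity.java": """
        WebView wv = findViewById(R.id.about);
        wv.loadUrl("file:///android_asset/about.html");
    """,
}

# WebView/WebSettings calls that change what script in the page can reach.
CHECKS = {
    "js_enabled": re.compile(r"setJavaScriptEnabled\s*\(\s*true\s*\)"),
    "js_interface": re.compile(r"addJavascriptInterface\s*\("),
    "file_url_access": re.compile(
        r"setAllow(?:File|Universal)AccessFromFileURLs\s*\(\s*true\s*\)"),
}

def findings(source):
    """Return the names of all checks whose pattern occurs in the source."""
    return {name for name, rx in CHECKS.items() if rx.search(source)}

def classify(source):
    """Map one source file to a tier (labels are this example's own)."""
    found = findings(source)
    if "js_enabled" not in found:      # WebView leaves JavaScript off by default
        return "no-script"
    if "js_interface" in found:        # page script can call into app code
        return "app-bridge-exposed"
    if "file_url_access" in found:     # the "other dangerous setup" case
        return "dangerous-settings"
    return "page-scoped-script"        # script stays confined to the loaded page

def audit(sources):
    return {path: classify(text) for path, text in sorted(sources.items())}

if __name__ == "__main__":
    for path, tier in audit(SAMPLE_SOURCES).items():
        print(f"{tier:20} {path}")
```

Text matching like this is only a first pass: settings applied through helper methods or variables will not be caught, so anything flagged or unflagged still needs a manual read of the code.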